8/10/2019 Insidious Implicit Windows Trust Relationships
PLEASE STAND BY
Insidious Implicit Windows Trust Relationships
7 June 2013, BSides Detroit. James Foster

Note about where to get these slides later and whether or not this is being recorded.

Note to folks reading these slides and notes directly: the word TRANSITION in the notes is just a reminder to me that I have animations or transitions on that slide. You can ignore it in the PDF version.

None of the information presented here is original work; it's all stuff other people have figured out. I'm just trying to spread the knowledge.
Who am I?

I do:
- Security assessments / penetration tests
- Incident response
- Whatever other security-related stuff comes up

I have:
- ~18 years of experience in various IT roles, the last ~2 in IT security, doing lots of different stuff
- BSCS, CISSP, GCIH
Intended audience

- Not pentesters (they already know this)
- Non-security IT folks
- IT security folks who are busy with other things
- Those tasked with supporting / defending Windows systems especially
Why this presentation?

- Not enough people know about this
- Some that know it don't fully understand it
- Pentesters will use this against you (common problem we find during assessments)
- Bad guys (internal and external) will use this against you
- APT1 will use this against you

TRANSITION

Before I was an attacker I fell into the second category.

Remember: I didn't discover any of the information presented here. I'm just good at summarizing and explaining.
Steps of APT-style intrusion

1) Spearphish user
2) Own user's box
3) THIS

TRANSITION

Part of step 3 is exploiting implied trust relationships. Often this is a big part of "move laterally" and "escalate privileges".

Now that you're fully convinced how important this topic is, let's go.
Two kinds of trusts

- Explicit: these you intend to exist
- Implicit (implied): these you don't
Explicit

- Loaning your car keys to your friend (to use your car)
- Domain A trusts Domain B to authenticate users
- hosts.equiv (don't do this)
- Web single sign-on (e.g. OpenID)

TRANSITION

In the last case the Relying Parties (websites you're trying to log in to) explicitly trust third-party Identity Providers (e.g. Google) to authenticate you.
Implicit

- Extra set of house keys are in the glove box
- User's password in domain A == their password in domain B
- LinkedIn password == online banking password
- Email account for online banking password resets == online banking
- Same local administrator password on all client PCs

TRANSITION
Implicitly insidious

These are nasty things:
- Mat Honan (not the whole hack, but Twitter & Gmail & me.com) http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
- APT1 (Mandiant report) http://intelreport.mandiant.com/
- Separate PKI domain
- Windows to non-Windows

TRANSITION

They wanted Mat's Twitter account. It used his Gmail account for password reset/recovery, so they needed that first. His Gmail account used his me.com (Apple) account for password reset/recovery. They knew how to get Apple accounts (a different attack), so once they got that they got his Gmail and Twitter for free.

The last two are stories from assessments.
Focus on Windows

You've got the general idea. Let's see why implicit trusts matter so much in Windows.
First, LM / NTLM

- LM / NTLM password hashing algorithm
- LM / NTLM network authentication protocol
- These are two different things, although the first is used in the second
- I really wish one of these was called something else, because this is confusing
- I will try and say "NTLM hash" and "NTLM authentication" to differentiate the two

TRANSITION

I'm just going to say NTLM from now on since it's easier, and this all applies to environments that "aren't using LM anymore" anyway.
NTLM password hashing algorithm

- Creates a fixed-length hash from a variable-length password
- For our purposes, similar enough to any other hashing mechanism like MD5 or SHA-1
- Easy to go forward, hard to go backward
- Hashes of the password "password":
  LM: E52CAC67419A9A224A3B108F3FA6CB6D
  NTLM: 8846F7EAEE8FB117AD06BDD830B7586C
- Note the lack of salt

(Concretely: the NT hash is MD4 over the UTF-16LE encoding of the password, nothing else. The LM hash upper-cases the password, pads it to 14 bytes, splits it into two 7-byte DES keys and encrypts a fixed constant with each, which is why LM is both unsalted and crackable in two independent halves.)

TRANSITION

What does the lack of salt mean?

Can use rainbow tables.

Users with the same password will have the same hash regardless of username, system, domain, version of Windows, language, etc.
NTLM network authentication protocol

- Main network authentication protocol for Windows (yeah, Kerberos in Active Directory, but NTLM is still the fallback: it is what you get when a client connects by IP address, to a non-domain host, or through anything that can't obtain a Kerberos ticket)
- Steps:
  1) Create NTLM hash of password
  2) Blah blah, client/server challenges, blah blah
  3) Do math and hashes with the NTLM hash and challenges, send stuff back and forth, blah blah
- Note: the input to steps 2 and beyond is just the NTLM hash

TRANSITION

The details of steps 2 and beyond don't matter for our purposes. The output of step 1 is just the NTLM hash of the password, with nothing else added.

So what does this mean for NTLM authentication?

What if we have a user's hash but don't know their password (couldn't crack it, whatever)?

Doesn't matter, because the hash works just as well.
Hashes == passwords

- (for NTLM authentication)
- Often called "pass-the-hash" (PTH)
- And not just for the one user: for all users who have the same password
Why so bad in Windows?

- NTLM authentication everywhere
- Design called for single sign-on (SSO)
- Hashes == passwords (for all users with the same password)
- Pervasive problem, easy to exploit
- Uses legitimate protocols, existing accounts
- You can't tell the difference between an authentication that started with the password and one that started with the hash

TRANSITION

After all, do you want to have to re-type your password for every new Windows resource your system connects to?

For SSO to work, the system has to either know your password (or its hash, in NTLM authentication) or have some token (like in Kerberos).
Windows implicit trust relationship types

- Local account
- Cached credential
- Access token
Local account

- Password hashes for local accounts are stored locally on disk, in the SAM registry hive (they persist as long as the account exists)
- These can be accessed by any local admin (the SAM is only readable by SYSTEM, but a local admin gets to SYSTEM trivially)
- Remember that password hashes == passwords for NTLM auth types, via PTH
- Therefore any local admin can assume the identity of any local account on that box

TRANSITION
Local account

- Once you have the hashes you can try them in other places
- You can try them with other accounts
- Against other similar systems (clients, servers, etc.)
- Against the domain (or other domains)
- Looks like regular Windows logon successes/failures, normal protocols

You might guess that this password (hash) is the same for this same username on other systems. Often you'd be right.

You might guess that this password (hash) is the same for other usernames on other systems. Sometimes you'd be right.

Sometimes it's the same in the domain too.
Local account

- On a domain controller, all domain accounts are just "local accounts" in this sense (they live in NTDS.dit rather than the SAM, but they are the same unsalted NT hashes)
- Get "local admin" on a domain controller, get the hashes of all domain accounts
- Yay!

This may seem obvious. In order to compromise an entire domain and steal all of its users' hashes, you just need to compromise a domain controller and you're done.
Cached credentials

- Password hashes for domain accounts may be cached on disk on domain-connected systems
- Allow domain accounts to log on to domain-connected systems when not connected to the domain (laptops)
- Persist for a configurable # of logons (CachedLogonsCount; the default is 10)
- These can be accessed by any local admin

TRANSITION
Cached credentials

- These hashes can't be used for PTH (they are salted with the username and, since Vista, run through PBKDF2 as well)
- To be useful you have to crack the hashes to obtain the password (veeeery slow)
- If cracked, the password could then be used to log on to this domain account
- The password could also be tried against other accounts in the domain or local accounts on other systems, but you had to crack it first

TRANSITION

Of course, if the password is trivial it doesn't matter if the cracking is "slow"; you'll get it in a few seconds anyway.

This has allowed me to compromise a domain, but it's really the least useful of the three kinds of implied trusts. So we'll move on.
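An added example, not code from the slides or their author, that ties together the last few slides in one runnable piece: the NT hash as unsalted MD4 over UTF-16LE (the "NTLM password hashing algorithm" slide), the NTLMv2 challenge-response computed from the hash alone so that a stolen hash produces exactly the bytes a password would (the "NTLM network authentication protocol" and "Hashes == passwords" slides), and the Vista-and-later cached credential (MS-Cache v2 / DCC2), which mixes in the lower-cased username so the same password gives a different value per user and has to be cracked rather than passed (the "Cached credentials" slides). MD4 is written out because hashlib on OpenSSL 3 builds usually no longer provides it. The account names, challenges, timestamp and the empty target-info block are constructed sample values; a real server would send AV_PAIRs there.

```python
# Added example, not from the original slides. Shows in code why "hashes == passwords"
# for NTLM authentication and why cached credentials are the exception.
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, included because hashlib.new('md4') is missing on OpenSSL 3 builds."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # message length in bits, little-endian
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                # One register is updated per step and the names rotate (abcd -> dabc -> ...).
                a, b, c, d = d, _rotl((a + fn(b, c, d) + x[j] + k) & MASK32, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). No salt, no username, no domain."""
    return md4(password.encode("utf-16le"))


def shared_hash_groups(accounts: dict) -> dict:
    """Group accounts by identical NT hash: password reuse is visible without cracking anything."""
    groups = {}
    for account, h in accounts.items():
        groups.setdefault(h.hex(), []).append(account)
    return {h: users for h, users in groups.items() if len(users) > 1}


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 response key (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash, never the password."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int, target_info: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || temp. This is the client's side of "step 3"."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def server_accepts(stored_nt: bytes, user: str, domain: str,
                   server_challenge: bytes, response: bytes) -> bool:
    """The server recomputes NTProofStr from the hash it stores. A response built from the
    password and one built from a stolen hash are byte-for-byte identical, so it cannot tell."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain),
                        server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def dcc2(username: str, password: str, iterations: int = 10240) -> bytes:
    """Vista+ cached domain credential (MS-Cache v2). The lower-cased username is mixed into
    the MD4 and reused as the PBKDF2 salt, so this value cannot be passed; it must be cracked."""
    salt = username.lower().encode("utf-16le")
    dcc1 = md4(nt_hash(password) + salt)
    return hashlib.pbkdf2_hmac("sha1", dcc1, salt, iterations, 16)


def demo() -> dict:
    # Constructed sample data: two local Administrator accounts share the password "password".
    accounts = {
        r"WS01\Administrator": nt_hash("password"),
        r"WS02\Administrator": nt_hash("password"),
        r"CORP\alice": nt_hash("correct horse battery staple"),
    }
    server_challenge = bytes.fromhex("0123456789abcdef")  # constructed
    client_challenge = bytes.fromhex("aaaaaaaaaaaaaaaa")  # constructed
    args = ("Administrator", "WS02", server_challenge, client_challenge, 0, b"")
    from_password = ntlmv2_response(nt_hash("password"), *args)
    # The attacker dumped WS01's SAM and replays the hash against WS02: same bytes on the wire.
    from_stolen_hash = ntlmv2_response(accounts[r"WS01\Administrator"], *args)
    return {
        "shared": shared_hash_groups(accounts),
        "pth_identical": from_password == from_stolen_hash,
        "ws02_accepts": server_accepts(accounts[r"WS02\Administrator"], "Administrator", "WS02",
                                       server_challenge, from_stolen_hash),
        "cached_differs": dcc2("alice", "password") != dcc2("bob", "password"),
    }
```

The `shared_hash_groups` check is the cheap defensive version of the slide's point: dump the SAM (or NTDS.dit) hashes and look for duplicates, and you have found every shared local admin password in the estate without cracking a single one. The `dcc2` function is why the same trick does not work on cached credentials: the username is baked in, so two users with the same password no longer collide.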
Access tokens

- Created in memory upon a successful interactive logon
- Hold the user's authentication information and other account attributes (group memberships, etc.) used to authenticate and gain authorization to other systems/objects (enables SSO, etc.)
- Not written to disk, so erased by a reboot
- However, not erased by logging off (true of the Windows versions current in 2013; Windows 8.1 / Server 2012 R2, and the KB2871997 update for earlier versions, made LSASS clean up more of this at logoff)
- These can be accessed by any local admin

TRANSITION

Sometimes people call these "account tokens", "logon tokens", or just "tokens".

Note that just mapping a drive does not create an interactive logon to the target, so this is not enough to create an access token there.
Access tokens

- Contain LM and NTLM password hashes (not salted, so PTH works)
- Did I mention these can be read by any local admin?
- Therefore any local admin can assume the identity of any user who logged in (interactively) since the last reboot
- Works for local and domain accounts, but you already have hashes for the local accounts, so who cares
- Use a domain account against the domain and any domain-connected system

(Strictly, the hashes are not inside the token object itself; they sit in LSASS's logon-session credential cache for the MSV1_0 package, alongside the token. That is where tools such as mimikatz and WCE read them from, and it is why the "any local admin" line holds: local admin gets you SYSTEM, and SYSTEM gets you LSASS memory.)

TRANSITION

We just love access tokens belonging to domain admins. Tasty.
Show of hands

How many people here have a domain admin account?

Have you ever logged on to a system and then didn't reboot it afterwards?

A user's system?

All this for $?.??, can you believe it?
So, implicit trusts

- Own a box: own all local accounts
- Local account having the same password across multiple systems: own them all
- Own a box: (maybe) own all domain accounts that logged on within the last # logons
- Own a box: own all accounts that logged on since the last reboot
- Any other account on any other local box or in the domain share that password? Own that too.

TRANSITION
Nightmare

- Users granted local admin to their own box
- Same local Administrator password on all user boxes...
- ...including boxes on the desks of IT staff
- IT staffer logs into her own box with her domain admin account
- All users could own the domain simply via trust relationships

TRANSITION

It's also bad when you have servers where lots of users, including privileged ones, log on interactively.

Although not completely tested or studied, we have seen most domain users' access tokens on an Exchange server in at least one environment. This implies that at least in some situations Outlook's connection to the Exchange server constitutes an interactive logon and creates an access token there.
We make graphs

- Local admin account trusts
- Domain admin access token trusts

These graphs are from a recent internal assessment. The network had around 1,700 Windows boxes; we sampled about 1,500 of them to get the data for these graphs.

You can't read the labels on anything in the graphs, on purpose.
Blue ovals are hosts, red boxes are credentials (username/password combination), and yellow spots are the domains (domain controllers, to be specific).

The "credentials" in this one are local administrative accounts, so this represents local account trusts for administrative-level users (admin on hosts and/or the domain controllers).

~1,400 hosts are involved in trusts with at least one other, many with many others, including the domain.
Blue ovals are hosts, red boxes are credentials (username/password combination), and yellow spots are the domains (domain controllers, to be specific).

The "credentials" in this one are local admin accounts, so this shows local account trusts for admin-level users (admin on hosts and/or the domain controllers), EXCEPT that this time the actual "Administrator" accounts are excluded. In other words, it's the same as the previous graph if they were to fix just all of the local "Administrator" accounts. Only 12_ hosts (the last digit is lost in the extraction) are now involved in local account trust relationships. So by fixing the local "Administrator" account on all their boxes they can achieve an order-of-magnitude improvement in the # of hosts involved.
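An added example, not code from the assessment or its author, of the analysis behind these two graphs. It takes constructed records of the form (host, local admin account, NT hash as dumped from that host's SAM), treats each distinct username/hash pair as one credential node, links every pair of hosts that credential opens, and then counts the hosts that end up in a trust relationship with at least one other host, both as-is and with the built-in Administrator account excluded, which is the "fix just the local Administrator accounts" what-if from the slide. It also walks the graph transitively from one owned workstation, which is the attacker's view of the same data. Host names, account names and hash values are made up.

```python
# Added example, not from the original slides: count and walk the hosts tied together by
# shared local admin credentials, as in the assessment graphs, from constructed SAM-dump records.
from collections import defaultdict
from itertools import combinations

# Constructed sample: (host, local admin username, NT hash hex). The hashes are opaque labels here;
# two rows with the same username and the same hash mean one credential works on both hosts.
SAMPLE = [
    ("WS01", "Administrator", "8846f7eaee8fb117ad06bdd830b7586c"),
    ("WS02", "Administrator", "8846f7eaee8fb117ad06bdd830b7586c"),
    ("WS03", "Administrator", "8846f7eaee8fb117ad06bdd830b7586c"),
    ("WS04", "Administrator", "8846f7eaee8fb117ad06bdd830b7586c"),
    ("WS04", "helpdesk", "c5a237b7e9d8e708d8436b6148a25fa1"),
    ("WS05", "helpdesk", "c5a237b7e9d8e708d8436b6148a25fa1"),
    ("WS05", "Administrator", "e19ccf75ee54e06b06a5907af13cef42"),  # unique password: no edge
    ("SRV01", "Administrator", "2b2ac2d1c7c8fda6cea80b5fad7563aa"),  # unique password: no edge
    ("SRV02", "svc_backup", "c5a237b7e9d8e708d8436b6148a25fa1"),     # same password, other username
    ("DC01", "helpdesk", "c5a237b7e9d8e708d8436b6148a25fa1"),        # the helpdesk creds work on the DC
]


def credential_graph(records, exclude_accounts=()):
    """Map each credential (username, hash) to the set of hosts it is valid on.
    A same-hash/different-username pair (svc_backup above) is deliberately a separate node:
    that is the "sometimes you'd be right" guess from the earlier slide, not a drawn trust."""
    excluded = {e.lower() for e in exclude_accounts}
    hosts_by_cred = defaultdict(set)
    for host, user, nt in records:
        if user.lower() in excluded:
            continue
        hosts_by_cred[(user.lower(), nt.lower())].add(host)
    return hosts_by_cred


def trust_edges(hosts_by_cred):
    """Host-to-host edges: two hosts are in an implied trust when one credential opens both."""
    edges = set()
    for hosts in hosts_by_cred.values():
        for a, b in combinations(sorted(hosts), 2):
            edges.add((a, b))
    return edges


def hosts_in_trusts(records, exclude_accounts=()):
    """Hosts that share at least one local admin credential with another host (the slide's count)."""
    involved = set()
    for a, b in trust_edges(credential_graph(records, exclude_accounts)):
        involved.update((a, b))
    return involved


def reachable_from(records, start, exclude_accounts=()):
    """Every host an attacker who owns `start` reaches by passing the local admin hashes found
    along the way, transitively: WS01 -> Administrator hash -> WS04 -> helpdesk hash -> DC01."""
    adjacency = defaultdict(set)
    for a, b in trust_edges(credential_graph(records, exclude_accounts)):
        adjacency[a].add(b)
        adjacency[b].add(a)
    seen, stack = {start}, [start]
    while stack:
        host = stack.pop()
        for nxt in adjacency[host] - seen:
            seen.add(nxt)
            stack.append(nxt)
    return seen - {start}


def summary(records=SAMPLE):
    """The before/after numbers the two graphs show, plus the attacker's transitive view."""
    all_hosts = {host for host, _, _ in records}
    return {
        "hosts": len(all_hosts),
        "involved": len(hosts_in_trusts(records)),
        "involved_without_builtin_admin": len(hosts_in_trusts(records, ("Administrator",))),
        "reachable_from_WS01": sorted(reachable_from(records, "WS01")),
        "reachable_from_WS01_without_builtin_admin":
            sorted(reachable_from(records, "WS01", ("Administrator",))),
    }
```

On the constructed data, six of eight hosts are involved in a trust and the DC is reachable from any one of the four workstations that share the Administrator hash; excluding the built-in Administrator leaves only the three hosts tied together by the helpdesk account, and WS01 reaches nothing. The same functions run unchanged over a real export of per-host SAM hashes, which is all the original graphs were built from.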
Mitigation

How do we fix this?

I've used up all my time explaining the problem. Have a nice day!

Just kidding, I hope.
Mitigation

- Microsoft's pass-the-hash mitigation paper ("Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques", December 2012)
- Don't let them get hashes/tokens/passwords (local admin) in the first place
- Patch; good passwords; firewalls; etc.
- Application control / whitelisting
- Users not being local admins would be good
- Does two-factor auth (smart cards, biometrics, etc.) fix this? Haven't tested, but probably not, due to the nature of the problem.

(It doesn't. An account that logs on with a smart card still has an NT hash in AD: Windows sets it to a random value when the "smart card is required for interactive logon" flag is turned on, and that hash is still handed to the client at logon so NTLM keeps working, which means it can still be dumped and passed. Two-factor protects the initial logon, not the secrets that logon leaves behind on the box.)
Mitigation

- If they do get hashes/tokens/passwords, make them useless to move around with
- No shared passwords (Microsoft later shipped LAPS, in 2015, to give every box a unique, rotated local Administrator password)
- Disable local admin accounts
- Turn off network access to unnecessary accounts (network and RDP): the "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services" user rights, applied to local accounts everywhere and to domain admin accounts on workstations
Mitigation

- Limit lateral movement
- Client firewalls (not Windows Firewall in "domain mode": the domain profile is normally left open to other domain members, and the point is to block workstation-to-workstation SMB/RPC)
- Network segmentation
- Client isolation (private VLANs)

For these types of attacks we're talking about Windows networking ports (135-139, 445) for the most part.
Mitigation

- Limit privilege escalation: protect privileged account hashes/tokens, especially domain admins
- Reduce the number of privileged accounts
- Privilege separation
- Only use privileged accounts on a limited number of more trusted, more secured and isolated hosts

LAST SLIDE